[omniORB] Bug in the cdrStream::unmarshalRawString

Serguei Kolos Serguei.Kolos at cern.ch
Mon Mar 13 16:07:56 GMT 2006


Hello

As a follow-up, the reported issue might be more complicated when one looks
at it carefully. On many platforms malloc(0) returns a valid address, which
means that one cannot recognize 0-length strings by pointers to them. The only
way to know something about that string is to call the strlen function. The
issue is that strlen tries to find the first zero in the given string, which
has two consequences:
1. it reads at least 1 byte of unallocated memory
2. it seems there is no guarantee that a 0-length memory pointer will always
   point to a byte with zero value, in which case the situation may be even
   worse and strlen may return an incorrect string length.

Maybe it is worth thinking about returning 0 as the pointer to a 0-length
string from the cdrStream::unmarshalRawString function?

Cheers,
Sergei

Serguei Kolos wrote:

> Hello
>
> I believe there is a bug in the cdrStream::unmarshalRawString function
> (src/lib/omniORB/orbcore/corbaString.cc file). If the length of the
> unmarshalled string is zero (variable len, which is equal to string
> length + 1, is 1), line 183 of that file reads an unallocated byte and
> throws an exception if this byte is not 0.
>
> 183: if (s[len-1] != '\0')
> 184:    OMNIORB_THROW(MARSHAL,MARSHAL_StringNotEndWithNull,
> 185:                 (CORBA::CompletionStatus)completion());
>
> Cheers,
> Sergei
>
> PS: the bug has been found with valgrind
>
> _______________________________________________
> omniORB-list mailing list
> omniORB-list at omniorb-support.com
> http://www.omniorb-support.com/mailman/listinfo/omniorb-list
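The hazard discussed in this thread is a terminator check that reads a byte the receiver may not own. The following is an added example, not omniORB code: it assumes a simplified CDR string layout (a little-endian 32-bit `len` counting the bytes that follow, NUL included, then `len` bytes) and constructed sample messages. It shows a raw-string unmarshal that validates `len` and the available bytes before touching `s[len-1]`, allocates exactly `len` bytes (so `len == 1` for the empty string never becomes `malloc(0)`), and only calls `strlen` once the terminator has been proven to be inside the received data. The type and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified CDR string layout assumed here (not omniORB's cdrStream, which
 * also handles byte-order flags, alignment and chunking):
 *   uint32 len  - little-endian, number of bytes that follow, NUL included
 *   len bytes   - the characters plus the terminating NUL
 * An empty string is therefore len == 1 followed by a single 0x00. */
typedef struct {
    const unsigned char *data;   /* received message bytes */
    size_t size;                 /* bytes actually received */
    size_t pos;                  /* read cursor */
} cdr_buf;

enum {
    UNMARSHAL_OK = 0,
    UNMARSHAL_TRUNCATED = 1,     /* message ends before the string does */
    UNMARSHAL_BAD_LENGTH = 2,    /* len == 0, or a NUL before position len-1 */
    UNMARSHAL_NO_NUL = 3,        /* byte len-1 is not the terminator */
    UNMARSHAL_NOMEM = 4
};

static int read_u32(cdr_buf *b, uint32_t *out) {
    if (b->size - b->pos < 4) return UNMARSHAL_TRUNCATED;
    const unsigned char *p = b->data + b->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    b->pos += 4;
    return UNMARSHAL_OK;
}

/* Hardened raw-string unmarshal. Every read is bounds-checked against the
 * bytes actually present, and the result is always a len-byte allocation
 * with len >= 1, so out[len-1] exists even for the empty string and the
 * caller never has to run strlen() on a pointer of unknown size. */
int unmarshal_raw_string(cdr_buf *b, char **out) {
    uint32_t len;
    int rc = read_u32(b, &len);
    if (rc != UNMARSHAL_OK) return rc;
    if (len == 0) return UNMARSHAL_BAD_LENGTH;            /* no room for NUL */
    if (b->size - b->pos < len) return UNMARSHAL_TRUNCATED;
    const unsigned char *s = b->data + b->pos;
    if (s[len - 1] != '\0') return UNMARSHAL_NO_NUL;      /* in bounds: checked above */
    /* s[len-1] is NUL, so strlen is bounded; reject embedded NULs. */
    if (strlen((const char *)s) != (size_t)len - 1) return UNMARSHAL_BAD_LENGTH;
    char *copy = malloc(len);                             /* len >= 1: never malloc(0) */
    if (copy == NULL) return UNMARSHAL_NOMEM;
    memcpy(copy, s, len);
    b->pos += len;
    *out = copy;
    return UNMARSHAL_OK;
}

/* Constructed sample messages (header bytes, then payload). */
static const unsigned char SAMPLE_EMPTY[]     = {1,0,0,0, 0};
static const unsigned char SAMPLE_ABC[]       = {4,0,0,0, 'a','b','c',0};
static const unsigned char SAMPLE_NO_NUL[]    = {3,0,0,0, 'a','b','c'};
static const unsigned char SAMPLE_TRUNCATED[] = {8,0,0,0, 'a','b'};
static const unsigned char SAMPLE_ZERO_LEN[]  = {0,0,0,0};
static const unsigned char SAMPLE_INNER_NUL[] = {4,0,0,0, 'a',0,'b',0};

/* Returns the unmarshalled string's length, or the negated error code. */
long try_unmarshal(const unsigned char *bytes, size_t n) {
    cdr_buf b = { bytes, n, 0 };
    char *s = NULL;
    int rc = unmarshal_raw_string(&b, &s);
    if (rc != UNMARSHAL_OK) return -(long)rc;
    long length = (long)strlen(s);                        /* safe: NUL verified */
    free(s);
    return length;
}

int main(void) {
    printf("empty      -> %ld\n", try_unmarshal(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY));
    printf("abc        -> %ld\n", try_unmarshal(SAMPLE_ABC, sizeof SAMPLE_ABC));
    printf("no NUL     -> %ld\n", try_unmarshal(SAMPLE_NO_NUL, sizeof SAMPLE_NO_NUL));
    printf("truncated  -> %ld\n", try_unmarshal(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("len == 0   -> %ld\n", try_unmarshal(SAMPLE_ZERO_LEN, sizeof SAMPLE_ZERO_LEN));
    printf("inner NUL  -> %ld\n", try_unmarshal(SAMPLE_INNER_NUL, sizeof SAMPLE_INNER_NUL));
    return 0;
}
```

The ordering of the checks is the point: the length is validated against the bytes received before any byte at `s[len-1]` is dereferenced, and the copy handed to the caller is sized from the same validated `len`, so the empty string is a real one-byte allocation holding `'\0'` rather than a null pointer or a `malloc(0)` result whose first byte is anyone's guess. Returning a null pointer for empty strings, as the follow-up suggests, is the other defensible choice; either way the caller must never be asked to infer the length from memory it was not given.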
